Home > Manage Apps > Manage App Profiles for Microsoft Tenants > API Permissions Required by Default AvePoint Apps for Microsoft Tenants > Cloud Governance
Export to PDFCloud Governance
Refer to the following sections to see the API permissions that should be accepted when you consent to the corresponding apps.
Cloud Governance for Microsoft 365
When you create a Cloud Governance for Microsoft 365 app profile in AvePoint Online Services, the AvePoint Cloud Governance forMicrosoft365 app will be automatically set up in your Microsoft Entra ID.
The table below lists the permissions that should be accepted when you authorize the AvePoint Cloud Governance for Microsoft365 app.
| API | Permission | Type | Purpose | Is newly required? |
|---|---|---|---|---|
| Microsoft Graph | AuditLog.Read.All (Read all audit log data) | Application | Retrieve the user who invited the guest user to the tenant. | No |
| Microsoft Graph | Channel.Create (Create channels) | Application | Create private channels. | No |
| Microsoft Graph | Channel.Delete.All (Delete channels) | Application | Delete private channels. | No |
| Microsoft Graph | ChannelMember.ReadWrite.All (Add and remove members from all channels) | Application | Add members to private channels. | No |
| Microsoft Graph | ChannelMessage.Read.All(Read all channel messages) | Application | Retrieve Microsoft Teams channel conversations for team inactivity threshold calculation. | No |
| Microsoft Graph | ChannelSettings.ReadWrite.All (Read and write the names, descriptions, and settings of all channels) | Application | Update private channel properties. | No |
| Microsoft Graph | Community.ReadWrite.All(Read and write all Viva Engage communities) | Application | Create a new community in Viva Engage. | No |
| Microsoft Graph | Directory.Read.All(Read directory data) | Application | Retrieve information from your organization’s Active Directory. | No |
| Microsoft Graph | Files.Read.All(Read files in all site collections) | Application | Retrieve the URLs of the group team sites. | No |
| Microsoft Graph | Group.ReadWrite.All (Read and write all groups) | Application | Create and manage groups/teams. | No |
| Microsoft Graph | InformationProtectionPolicy.Read.All(Read all published labels and label policies for an organization) | Application | Manage sensitivity labels. | No |
| Microsoft Graph | Mail.Send(Send mail as any user) | Application | Use a Microsoft 365 account as the email sender to send notification emails. | No |
| Microsoft Graph | Member.Read.Hidden (Read all hidden memberships) | Application | Read the members of a group/team with hidden membership to copy members. | No |
| Microsoft Graph | Policy.Read.All(Read your organization's policies) | Application | Retrieve your organization’s policies. | No |
| Microsoft Graph | Reports.Read.All (Read all usage reports) | Application | Get user activities to filter active workspaces. | No |
| Microsoft Graph | Sites.FullControl.All(Have full control of all site collections) | Application | Manage content types. | No |
| Microsoft Graph | Sites.Read.All (Read items in all site collections) | Application | Retrieve the latest site collection URLs. | No |
| Microsoft Graph | Team.Create (Create teams) | Application | Create teams. | No |
| Microsoft Graph | TeamMember.ReadWrite.All(Add and remove members from all teams) | Application | Add or remove members from teams. | No |
| Microsoft Graph | TeamSettings.ReadWrite.All (Read and change all teams' settings) | Application | Retrieve and update team settings. | No |
| Microsoft Graph | User.Invite.All(Invite guest users to the organization) | Application | Invite guest users to groups/teams. | No |
| Microsoft Graph | User.ReadWrite.All (Read and write all users' full profiles) | Application | Retrieve and update user properties. | No |
| Microsoft Graph | User.Read(Sign in and read user profile) | Delegated | Search for users and retrieve user information. | No |
| Office 365 Management APIs | ActivityFeed.Read(Read activity data for your organization) | Application | Retrieve activity data in your organization. | No |
| SharePoint/Office 365 SharePoint Online | Sites.FullControl.All | Application | Retrieve and manage SharePoint objects. | No |
| SharePoint/Office 365 SharePoint Online | TermStore.ReadWrite.All(Read and write managed metadata) | Application | Retrieve term store information. | No |
| SharePoint/Office 365 SharePoint Online | User.Read.All(Read user profiles) | Application | Retrieve user properties from user profiles. | No |
| Microsoft Information Protection Sync Services | UnifiedPolicy.Tenant.Read(Read all unified policies of the tenant) | Application | Retrieve sensitivity labels in your organization.*Note: This API is used when sensitivity labels cannot be retrieved by the Microsoft Graph API. | No |
Cloud Governance for Exchange
When you create a Cloud Governance for Exchange app profile in AvePoint Online Services, the AvePoint Cloud Governance Exchange App will be automatically set up in your Microsoft Entra ID.
The table below lists the permissions that should be accepted when you authorize the AvePoint Cloud Governance Exchange App.
| API | Permission | Type | Purpose | Is newly required? |
|---|---|---|---|---|
| Microsoft Graph | User.Read(Sign in and read user profile) | Delegated | Search for users and retrieve user information. | No |
| Office 365 Exchange Online | full_access_as_app(Use Exchange Web Services with full access to all mailboxes) | Application | Create Microsoft 365 Groups/teams and update their properties. | No |
| Office 365 Exchange Online | Exchange.ManageAsApp(Manage Exchange as application) | Application | Provision and manage shared mailboxes, distribution lists, and mail-enabled security groups. Update Microsoft 365 Group properties. | No |
Cloud Governance for Power Platform
When you create a Cloud Governance for Power Platform app profile in AvePoint Online Services, the AvePoint Cloud Governance forPower Platform app will be automatically set up in your Microsoft Entra ID.
The table below lists the permissions that should be accepted when you authorize the AvePoint Cloud Governance for Power Platform app.
| API | Permission | Type | Purpose | Is newly required? |
|---|---|---|---|---|
| Dynamics CRM | user_impersonation(Access Common Data Service as organization users) | Delegated | Manage Power Apps and Power Platform environments. | No |
| Microsoft Graph | Directory.Read.All(Read directory data) | Application | Retrieve information from your organization’s Active Directory. | No |
| Power BI Service | Tenant.Read.All(View all content in tenant) | Delegated | Retrieve information of Power BI workspace. | No |
| Power BI Service | Tenant.ReadWrite.All(Read and write all content in tenant) | Delegated | Update Power BI workspace roles. | No |
| Power BI Service | Workspace.ReadWrite.All(Read and write all workspaces) | Delegated | Delete Power BI workspaces. | No |
| PowerApps Service | User(Access the PowerApps Service API) | Delegated | Retrieve information of Power Apps. | No |
| PowerPages Service | PowerPages.Websites.Read(Read Power Pages websites) | Delegated | Manage Power Pages sites. | No |
| PowerPages Service | PowerPages.Website.Write(Write Power Pages websites) | Delegated | Manage Power Pages sites. | No |
Cloud Governance Delegated App
When you create an app profile for Cloud Governance delegated app in AvePoint Online Services, the AvePoint Cloud Governance Delegated App will be automatically set up in your Microsoft Entra ID.
The table below lists the permissions that should be accepted when you authorize the AvePoint Cloud Governance Delegated App.
| API | Permission | Type | Purpose | Is newly required? |
|---|---|---|---|---|
| Microsoft Graph | Group.ReadWrite.All(Read and write all groups) | Delegated | Retrieve and update Microsoft 365 Group’s information. | No |